Edit tour

Windows Analysis Report
tSftorqHTy.exe

Overview

General Information

Sample name:	tSftorqHTy.exe renamed because original name is a hash value
Original sample name:	2bbb422d5c12723784ee8139173b72ebf1ee0b88ba45b7e6c08265e53dc2fb14.exe
Analysis ID:	1632313
MD5:	c2792411f364989ec0d213a3ab7c4f94
SHA1:	ea0aa28c567ba49407fe84f2df04d232ac7b9147
SHA256:	2bbb422d5c12723784ee8139173b72ebf1ee0b88ba45b7e6c08265e53dc2fb14
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MSIL Logger, MassLogger RAT

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MSIL Logger

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

tSftorqHTy.exe (PID: 3036 cmdline: "C:\Users\user\Desktop\tSftorqHTy.exe" MD5: C2792411F364989EC0D213A3AB7C4F94)

RegSvcs.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\tSftorqHTy.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "securityz@grupomaya.mx", "Password": "    54460hetteXzeLJ  Z+l!UyU_nadu     \u2605\u0b9c\u0b9c", "Server": "mail.grupomaya.mx", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefb7:$a1: get_encryptedPassword 0xf2df:$a2: get_encryptedUsername 0xed52:$a3: get_timePasswordChanged 0xee73:$a4: get_passwordField 0xefcd:$a5: set_encryptedPassword 0x10929:$a7: get_logins 0x105da:$a8: GetOutlookPasswords 0x103cc:$a9: StartKeylogger 0x10879:$a10: KeyLoggerEventArgs 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14191:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1368f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1399d:$a4: \Orbitum\User Data\Default\Login Data 0x14795:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: tSftorqHTy.exe PID: 3036	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: tSftorqHTy.exe PID: 3036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tSftorqHTy.exe PID: 3036	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: tSftorqHTy.exe PID: 3036	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: tSftorqHTy.exe PID: 3036	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd90c0:$a1: get_encryptedPassword 0xd93d9:$a2: get_encryptedUsername 0xd8e6f:$a3: get_timePasswordChanged 0xd8f90:$a4: get_passwordField 0xd90d6:$a5: set_encryptedPassword 0xda9d9:$a7: get_logins 0xda68a:$a8: GetOutlookPasswords 0xda47c:$a9: StartKeylogger 0xda929:$a10: KeyLoggerEventArgs 0xda4d9:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 6584	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6584	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
Process Memory Space: RegSvcs.exe PID: 6584	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6584	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x14ce0:$a1: get_encryptedPassword 0x14ff9:$a2: get_encryptedUsername 0x14a8f:$a3: get_timePasswordChanged 0x14bb0:$a4: get_passwordField 0x14cf6:$a5: set_encryptedPassword 0x165f9:$a7: get_logins 0x162aa:$a8: GetOutlookPasswords 0x1609c:$a9: StartKeylogger 0x16549:$a10: KeyLoggerEventArgs 0x160f9:$a11: KeyLoggerEventArgsEventHandler
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.tSftorqHTy.exe.aa0000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.tSftorqHTy.exe.aa0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tSftorqHTy.exe.aa0000.1.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.tSftorqHTy.exe.aa0000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.tSftorqHTy.exe.aa0000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.tSftorqHTy.exe.aa0000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12391:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1188f:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b9d:$a4: \Orbitum\User Data\Default\Login Data 0x12995:$a5: \Kometa\User Data\Default\Login Data
0.2.tSftorqHTy.exe.aa0000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.tSftorqHTy.exe.aa0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tSftorqHTy.exe.aa0000.1.raw.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
0.2.tSftorqHTy.exe.aa0000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.tSftorqHTy.exe.aa0000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
0.2.tSftorqHTy.exe.aa0000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14191:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1368f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1399d:$a4: \Orbitum\User Data\Default\Login Data 0x14795:$a5: \Kometa\User Data\Default\Login Data
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MSILLogger	Yara detected MSIL Logger	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
2.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14191:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1368f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1399d:$a4: \Orbitum\User Data\Default\Login Data 0x14795:$a5: \Kometa\User Data\Default\Login Data
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 198.59.144.139, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6584, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49697

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T22:13:48.432256+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49695	132.226.247.73	80	TCP
2025-03-07T22:13:57.604075+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49695	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tSftorqHTy.exe

Avira: detected

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "securityz@grupomaya.mx", "Password": " 54460hetteXzeLJ Z+l!UyU_nadu \u2605\u0b9c\u0b9c", "Server": "mail.grupomaya.mx", "Port": 587}

Multi AV Scanner detection for submitted file

Source: tSftorqHTy.exe	Virustotal: Detection: 61%			Perma Link
Source: tSftorqHTy.exe	ReversingLabs: Detection: 60%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: tSftorqHTy.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49696 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: tSftorqHTy.exe, 00000000.00000003.1372543016.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, tSftorqHTy.exe, 00000000.00000003.1373283962.0000000004070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tSftorqHTy.exe, 00000000.00000003.1372543016.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, tSftorqHTy.exe, 00000000.00000003.1373283962.0000000004070000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01099731h	2_2_01099480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01099E5Ah	2_2_01099A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01099E5Ah	2_2_01099A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 01099E5Ah	2_2_01099D87

Source: global traffic

TCP traffic: 192.168.2.5:49697 -> 198.59.144.139:587

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 198.59.144.139 198.59.144.139
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

ASN Name: HYPEENT-SJUS HYPEENT-SJUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49695 -> 132.226.247.73:80

Source: global traffic

TCP traffic: 192.168.2.5:49697 -> 198.59.144.139:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49696 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_004422FE InternetQueryDataAvailable,InternetReadFile,

0_2_004422FE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: mail.grupomaya.mx

Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: tSftorqHTy.exe, 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://grupomaya.mx
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://grupomaya.mxd
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.grupomaya.mx
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.grupomaya.mxd
Source: RegSvcs.exe, 00000002.00000002.2596505211.000000000603F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2596505211.0000000006000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.2596505211.000000000603F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2596505211.0000000006000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.2596505211.000000000603F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2596505211.0000000006000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.2596505211.000000000603F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2596505211.0000000006000000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: tSftorqHTy.exe, 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: tSftorqHTy.exe, 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0045A10F

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,

0_2_0046DC80

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,

0_2_0044C37A

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0047C81C

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00431BE8

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00446313

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,

0_2_004333BE

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004096A0	0_2_004096A0
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0042200C	0_2_0042200C
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0041A217	0_2_0041A217
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00412216	0_2_00412216
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0042435D	0_2_0042435D
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004033C0	0_2_004033C0
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0044F430	0_2_0044F430
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004125E8	0_2_004125E8
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0044663B	0_2_0044663B
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00413801	0_2_00413801
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0042096F	0_2_0042096F
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004129D0	0_2_004129D0
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004119E3	0_2_004119E3
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0041C9AE	0_2_0041C9AE
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0047EA6F	0_2_0047EA6F
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0040FA10	0_2_0040FA10
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0044EB5F	0_2_0044EB5F
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00423C81	0_2_00423C81
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00411E78	0_2_00411E78
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00442E0C	0_2_00442E0C
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00420EC0	0_2_00420EC0
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0044CF17	0_2_0044CF17
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00444FD2	0_2_00444FD2
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00A83600	0_2_00A83600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0109C530	2_2_0109C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_010927B9	2_2_010927B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01092DD1	2_2_01092DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01099480	2_2_01099480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0109C521	2_2_0109C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0109946F	2_2_0109946F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069F2630	2_2_069F2630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069F4D78	2_2_069F4D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069FBAD8	2_2_069FBAD8

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: String function: 004115D7 appears 36 times
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: String function: 00416C70 appears 39 times
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: String function: 00445AE0 appears 65 times

Source: tSftorqHTy.exe, 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs tSftorqHTy.exe
Source: tSftorqHTy.exe, 00000000.00000003.1372683622.000000000419D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tSftorqHTy.exe
Source: tSftorqHTy.exe, 00000000.00000003.1372543016.0000000003FF3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tSftorqHTy.exe

Source: tSftorqHTy.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@3/3

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0044AF6C GetLastError,FormatMessageW,

0_2_0044AF6C

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,		0_2_004333BE
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,		0_2_00464EAE

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,

0_2_0045D619

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,

0_2_004755C4

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0047839D

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0043305F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\tSftorqHTy.exe

File created: C:\Users\user\AppData\Local\Temp\autF585.tmp

Jump to behavior

Source: tSftorqHTy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tSftorqHTy.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2595080414.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002C83000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002C60000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002C6E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595938699.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tSftorqHTy.exe	Virustotal: Detection: 61%
Source: tSftorqHTy.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\tSftorqHTy.exe

File read: C:\Users\user\Desktop\tSftorqHTy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\tSftorqHTy.exe "C:\Users\user\Desktop\tSftorqHTy.exe"
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tSftorqHTy.exe"
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tSftorqHTy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: tSftorqHTy.exe

Static file information: File size 80740352 > 1048576

Source:	Binary string: wntdll.pdbUGP source: tSftorqHTy.exe, 00000000.00000003.1372543016.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, tSftorqHTy.exe, 00000000.00000003.1373283962.0000000004070000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tSftorqHTy.exe, 00000000.00000003.1372543016.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, tSftorqHTy.exe, 00000000.00000003.1373283962.0000000004070000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00416CB5 push ecx; ret		0_2_00416CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069F8EAC push es; retf		2_2_069F8EB4

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_0047A330
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00434418

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\tSftorqHTy.exe

API/Special instruction interceptor: Address: A83224

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3337			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1182			Jump to behavior

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-87528

Source: C:\Users\user\Desktop\tSftorqHTy.exe

API coverage: 4.2 %

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004339B6
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00452492
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00442886
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_004788BD
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,	0_2_0045CAFA
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00431A86
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,	0_2_0044BD27
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0045DE8F FindFirstFileW,FindClose,	0_2_0045DE8F
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0044BF8B

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99410	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99158	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98997	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98647	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98537	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97369	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1

Source: C:\Users\user\Desktop\tSftorqHTy.exe

API call chain: ExitProcess graph end node

graph_0-86634

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0045A370 BlockInput,

0_2_0045A370

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,

0_2_0040D590

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0040EBD0 LoadLibraryA,GetProcAddress,

0_2_0040EBD0

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00A83490 mov eax, dword ptr fs:[00000030h]	0_2_00A83490
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00A834F0 mov eax, dword ptr fs:[00000030h]	0_2_00A834F0
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00A81E70 mov eax, dword ptr fs:[00000030h]	0_2_00A81E70

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_004238DA

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0041F250 SetUnhandledExceptionFilter,	0_2_0041F250
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041A208
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00417DAA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A52008

Jump to behavior

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_00436CD7 LogonUserW,

0_2_00436CD7

Source: C:\Users\user\Desktop\tSftorqHTy.exe

0_2_0040D590

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00434418

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,

0_2_0043333C

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\tSftorqHTy.exe"

Jump to behavior

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00446124

Source: tSftorqHTy.exe	Binary or memory string: Shell_TrayWnd
Source: tSftorqHTy.exe	Binary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,

0_2_004720DB

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_00472C3F GetUserNameW,

0_2_00472C3F

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0041E364

Source: C:\Users\user\Desktop\tSftorqHTy.exe

Code function: 0_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,

0_2_0040E500

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: tSftorqHTy.exe	Binary or memory string: WIN_XP
Source: tSftorqHTy.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: tSftorqHTy.exe	Binary or memory string: WIN_XPe
Source: tSftorqHTy.exe	Binary or memory string: WIN_VISTA
Source: tSftorqHTy.exe	Binary or memory string: WIN_7
Source: tSftorqHTy.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR

Remote Access Functionality

Yara detected MSIL Logger

Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR

Yara detected MassLogger RAT

Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tSftorqHTy.exe.aa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tSftorqHTy.exe PID: 3036, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6584, type: MEMORYSTR

Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_004652BE
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00476619
Source: C:\Users\user\Desktop\tSftorqHTy.exe	Code function: 0_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_0046CEF3

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	117 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	121 Security Software Discovery	SSH	3 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tSftorqHTy.exe	62%	Virustotal		Browse
tSftorqHTy.exe	61%	ReversingLabs	Win32.Trojan.Autoitinject
tSftorqHTy.exe	100%	Avira	TR/Dropper.Gen

Source	Detection	Scanner	Label
http://mail.grupomaya.mxd	0%	Avira URL Cloud	safe
http://grupomaya.mxd	0%	Avira URL Cloud	safe
http://mail.grupomaya.mx	0%	Avira URL Cloud	safe
http://grupomaya.mx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.16.1	true	false	high
grupomaya.mx	198.59.144.139	true	true	unknown
checkip.dyndns.com	132.226.247.73	true	false	high
mail.grupomaya.mx	unknown	unknown	true	unknown
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false		high
http://checkip.dyndns.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot	RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://grupomaya.mxd	RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000002.00000002.2595080414.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.grupomaya.mxd	RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r10.o.lencr.org0#	RegSvcs.exe, 00000002.00000002.2596505211.000000000603F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2596505211.0000000006000000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002BDE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.grupomaya.mx	RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.comd	RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.2596505211.000000000603F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2596505211.0000000006000000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.2596505211.000000000603F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2596505211.0000000006000000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	tSftorqHTy.exe, 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2595080414.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org	RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://checkip.dyndns.com	RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://grupomaya.mx	RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/d	RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2595080414.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot-/sendDocument?chat_id=	tSftorqHTy.exe, 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://r10.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.2596505211.000000000603F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594241259.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2596505211.0000000006000000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	tSftorqHTy.exe, 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2595080414.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.16.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
198.59.144.139	grupomaya.mx	United States	13332	HYPEENT-SJUS	true
132.226.247.73	checkip.dyndns.com	United States	16989	UTMEMUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632313
Start date and time:	2025-03-07 22:12:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tSftorqHTy.exe renamed because original name is a hash value
Original Sample Name:	2bbb422d5c12723784ee8139173b72ebf1ee0b88ba45b7e6c08265e53dc2fb14.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 67 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 150.171.28.10
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, g.bing.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:13:56	API Interceptor	23x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	www.tumbetgirislinki.fit/ftbq/
	Shipping Document.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/6m32/
	Payment Record.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	Invoice Remittance ref27022558.exe	Get hash	malicious	FormBook	Browse	www.rbopisalive.cyou/a669/
	ujXpculHYDYhc6i.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	368c6e62-b031-5b65-fd43-e7a610184138.eml	Get hash	malicious	HTMLPhisher	Browse	ce60771026585.oakdiiocese.org/p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6
	http://orico-rapaciid.xqyrr.cn/eorico/login/	Get hash	malicious	Unknown	Browse	orico-rapaciid.xqyrr.cn/favicon.ico
	Order confirmation.exe	Get hash	malicious	FormBook	Browse	www.englishmaterials.net/3nop/?-Z=cjlpd&Vz=5VQMUr9vdJst/aGqnmtehORilpahgrSgoeoRp4hSLdasMjOC27ijg2BR7Ep4jmwJ4Zkm
	Bank Transfer Accounting Copy.Vbs.vbs	Get hash	malicious	FormBook	Browse	www.fz977.xyz/48bq/
	PO from tpc Type 34.1 34,2 35 Spec.js	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
198.59.144.139	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse
	NmuA605dM4.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse
	Pago 20250211.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse
	ESrXps2S0J.exe	Get hash	malicious	MassLogger RAT	Browse
	owcaUFSF2e.exe	Get hash	malicious	MassLogger RAT	Browse
	Cp3HR4KHgC.exe	Get hash	malicious	MassLogger RAT	Browse
132.226.247.73	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	pkNnK2ya0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	DHL Shipping Details Ref ID 446331798008765975594-pdf.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	ZTEIhNCtP3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	uPDwUy9ewY.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	checkip.dyndns.org/
	HT4YGXBRtx.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	4LJHFzA8jr.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	3GrfjMY0pG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	DNNueAb5UZ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
reallyfreegeoip.org	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	104.21.96.1
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.48.1
	3GrfjMY0pG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.32.1
	DNNueAb5UZ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Play_Voicemail_Transcription._(387.KB).svg	Get hash	malicious	HTMLPhisher	Browse	172.67.167.74
	tmezkNPazz.exe	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	DQBok03QL1.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.187.236
	ORLVDnEcC3.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.189.66
	kS9YOZjwfn.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	rakf6nyw06.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.187.236
	Z6ojPnRBp1.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	thUKanu6GD.lnk	Get hash	malicious	HTMLPhisher, MalLnk	Browse	188.114.96.3
	iJIXzyHnSe.exe	Get hash	malicious	FormBook	Browse	172.67.194.22
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
HYPEENT-SJUS	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	198.59.144.139
	NmuA605dM4.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	198.59.144.139
	qUG1ZROxLJ.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	198.59.144.139
	arm.elf	Get hash	malicious	Unknown	Browse	206.206.98.7
	Pago 20250211.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	198.59.144.139
	https://www.irmaflores.net/suh/*	Get hash	malicious	Unknown	Browse	206.206.123.61
	linux_ppc64el.elf	Get hash	malicious	Chaos	Browse	206.206.76.202
	linux_arm6.elf	Get hash	malicious	Chaos	Browse	206.206.76.202
	linux_arm7.elf	Get hash	malicious	Chaos	Browse	206.206.76.202
	linux_amd64.elf	Get hash	malicious	Chaos	Browse	206.206.76.202
UTMEMUS	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	132.226.247.73
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	DNNueAb5UZ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	NmuA605dM4.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	132.226.8.169
	4PYRGCo1Di.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	pkNnK2ya0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	XiJhd7Lx30.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Z6ojPnRBp1.exe	Get hash	malicious	RedLine	Browse	104.21.16.1
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	104.21.16.1
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	3GrfjMY0pG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.16.1

Process:	C:\Users\user\Desktop\tSftorqHTy.exe
File Type:	data
Category:	dropped
Size (bytes):	16354
Entropy (8bit):	7.504858870121142
Encrypted:	false
SSDEEP:	384:NrBdiwTfVE5f+P9pIKoLmy9klpJv7pY/H:D4GfA+FWKA52lpJe/H
MD5:	E2681733E529DA6D5DCE70E3061E128C
SHA1:	1859026F760B2875630023074D80EC09E19193CF
SHA-256:	74052588C980D56FDB924155B2E6A80CF36E153F9E6C1670AF56DA07F915384B
SHA-512:	EAB43F5A4A909BE20DFE46BEB6B9AD66F34FA8FB4AEB17406BB13920930F3E94EFE44BDE0E2BE0CB3211A2ECCAEB022446FBE698C0A19A4C0465CE03533A9535
Malicious:	false
Reputation:	low
Preview:	EA06..`&.N&3)..m5.L...x.....+...n....(.V.`..4........#92.........M..>i....8.2..@...(.W.6......9........K\|..o....B....V..o.d.i...h~3.!....9...@.?.{....6.....?..(...3.....?.......9....?..!.r.....\|. 8O..j...M..?......6.8..`C.......}..P\|...=....-....@i.........\|.`...<!........y.........:......p.....X...Z....C.-......?.....[2....@<>{(...o4....C..p-...j........0-..Vj.....t~3.)O..l.i...B.?.[ n..8.....?.k n..!I..Y.u?.,........R..V@.O.B..j...~....U.8C......n...'..e....)?..(...!I..YF6?.Y.X'..6....l p....%[....p..,..L..b..Z....-..7..h..p.O.....h..p.O..r.....h\|.qdO..*3.L...f.n....Y..A..h.......Y..7.t..&........HC.....?..g'..a.8.....x...a.8..C.?.k.....7......C....s._.8.B.?..!....!.N@.?...I'...9..B:?..!..&q...h?..-....i....?...`...3..........C........"......`.....0!..V.X!.L.b?...`...i..X..?.Y.....X!..X.h?.C.....i..........f...,.+..,.U....V1>.....d..bq..U...x...n?.k....G1...' M.4......@7..t.'....2...7.......... ......Z~.@.O...q....\|.............s..o......X..`.....

C:\Users\user\AppData\Local\Temp\autFB52.tmp

Download File

Process:	C:\Users\user\Desktop\tSftorqHTy.exe
File Type:	data
Category:	dropped
Size (bytes):	60724
Entropy (8bit):	7.895533447021336
Encrypted:	false
SSDEEP:	768:cgS8IZo79pD/tj2hrJVNrGKb+y9htkCNA5XdgW+9ekoYcLJAZ2KO4HSxdo7yDVS3:YZ/rzAKieDBA3WoRbAZnr2RRgF
MD5:	C71531812B4CCCA1B16DEE511AAB37AD
SHA1:	9857AEB19BAC6ED551858C009BB373E211209EEE
SHA-256:	72EB7D608F5529DAA87FA23FF8BB1C11F126981A75C642B7B9E22B3C16D65A84
SHA-512:	DFBD3838B6F41C708D22439CB42A48EF80A7D06FCC5574EA96926A5788A59522D11D16886F012DEBE400F7C8C23F9BB2D1CCE8C93721EB396BDE677AB3D2427A
Malicious:	false
Reputation:	low
Preview:	EA06..n..F.tY...1.T+4=...4.Rf3`......(@.y....\| ...F......>...2.(..YG.Nhu...E,....=z.p..2..j. ...h..}.I....j......Y..._,....X..3....:.NC5.Rg ....t..X.,....L.mp..4Y...?5P..h..:,../....4.Vf3j...U.......7c....l..........hTP..../..]..Z..X.....f5....,..h....Q...`.....1._.s....X.......a2.!.....S..-...j.:..k....n........v.V` ...gg7.......mU....:,..I..@....q..Lf.....$...n.u...bk@.Mf...........,....p....,I...!.v.BS..I8.aF.,.............Z.XU.q.}f.K.....FmP...y.V.I..D.,..4.P.3J.f.2.Qf..L.mP..,.:,..M....5..O....+...B...R.Uf...T...>c6.........M.W.....B..U......X..Zmf.G.....,.....@..\|.....k6.....\.v...AB..c.....F.!,S...OU...1...'H..R..,z.c..^.}.GF...3......[n.L.mz......r.^.T+4.=.4.@.3j.f....l UE~.i..f.JLf.P..h7......!...-..6.Z.t...g<..G.Y...4.........&[60P......)1..B.....sKT.....1...:8..[....^iB..c.P...j.R.8....Q.Rm`)EJ.>.......i+..<...1..\q`-d...ZZ@k[].n..t-.. .......".........5....G.Pf.P...?..R.K .[W.D.*lo.O.s..JE.3...-y ..<..P...P.....2...gf3j.d.p......[..y

C:\Users\user\AppData\Local\Temp\lards

Download File

Process:	C:\Users\user\Desktop\tSftorqHTy.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	286758
Entropy (8bit):	2.8090187480860234
Encrypted:	false
SSDEEP:	12:v8r0N20S20pm0K20jE0O050G0W90iJE0hE0y0Lm0/kkkkkU0Ckkkkkki90EkkkkJ:u
MD5:	0C191B09CB9BA1D84125241322D524FC
SHA1:	F71EA17287C8B2A628E3DFD82380C7BABF2C2A8A
SHA-256:	EDBC2BA1C3E16A2D10894BE6636FC9D1FBF40523AEFE15432F6B7695D2535307
SHA-512:	187B7D5C841F305F2A315FC80B18EB1AF6C1FA4A1E3EEBE3A02ECB2A1F1532A8790017791EE3B0634C73EEEC0FE31B07CBF6EA0C2B580C2C805932416C735BA6
Malicious:	false
Reputation:	low
Preview:	2812506500281250650x281250650528125065052812506508281250650b281250650e281250650c28125065082812506501281250650e281250650c281250650c281250650c2812506500281250650228125065002812506500281250650028125065002812506505281250650628125065052812506507281250650b28125065082812506506281250650b28125065002812506500281250650028125065002812506500281250650028125065062812506506281250650828125065092812506504281250650528125065082812506504281250650b28125065092812506506281250650528125065002812506500281250650028125065002812506500281250650028125065062812506506281250650828125065092812506504281250650d28125065082812506506281250650b281250650a2812506507281250650228125065002812506500281250650028125065002812506500281250650028125065062812506506281250650828125065092812506505281250650528125065082812506508281250650b28125065082812506506281250650e2812506500281250650028125065002812506500281250650028125065002812506506281250650628125065082812506509281250650428125065052812506508281250650a281250650b281250650928125065062812506505

C:\Users\user\AppData\Local\Temp\lophophorine

Download File

Process:	C:\Users\user\Desktop\tSftorqHTy.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.746422105992228
Encrypted:	false
SSDEEP:	1536:QN2Ro6U2DFpXWfw3T0bRReg2tgf9KnRH4SvRJIDTYP682SGJ6M7xVRhWBju+SRrS:q2RHpFAbre3ufgFHl6tSGp7TWBju+SR+
MD5:	2BD9B148FF0B7126AB53AEAAFC65B0E3
SHA1:	EFEA6C422E122C399D8ADFB2DEA6D8118F912285
SHA-256:	B917E61AF587E2F4DF89D58E4E74C99A8F1D1D5436FAB8EBB9870DA5CA1720B2
SHA-512:	32A0F06D9F14856B2E2472A2C8CE96C0B85BE7194C0754B639A7503D3A836CF95603D24D212925AAA7AC840C54F7F6CFC4F62A508303C17EC725AEED12AE29BB
Malicious:	false
Reputation:	low
Preview:	...E7BI12PYC..E4.I16PYCA.E4BI16PYCASE4BI16PYCASE4BI16PYCASE4.I16^F.OS.=.h.7..b.;,Gb9CY7+",s&U,'^Bp;&a!0Zb _....a>P'g<;Z}CASE4BIasPY.@PE.,..6PYCASE4.I37[X.AS!5BI96PYCAS.CI1.PYC.RE4B.16pYCAQE4FI16PYCAUE4BI16PY.@SE6BI16PYAA3.4BY16@YCASU4BY16PYCACE4BI16PYCAS..CIb6PYC.RE.GI16PYCASE4BI16PYCAS.5BE16PYCASE4BI16PYCASE4BI16PYCASE4BI16PYCASE4BI16PYCASE.BI96PYCASE4BI1>pYC.SE4BI16PYCA}1Q:=16P.!@SE.BI1RQYCCSE4BI16PYCASE4bI1V~+030E4B.46PY.@SE2BI1PQYCASE4BI16PYC.SEtl;TZ?:CA_E4BI.7PYAASEXCI16PYCASE4BI1vPY.ASE4BI16PYCASE4B.7PYCAS.4BI36UY..SE0.I15PYC.SE2.16.YCASE4BI16PYCASE4BI16PYCASE4BI16PYCASE4BI16.$.N...+:..PYCASE5@J50XQCASE4BI1HPYC.SE4.I16gYCAvE4B$16P}CAS;4BIO6PY'ASEFBI1WPYC.SE4-I16>YCA-E4BW3.OYCKyc4@a.6PSCk.6.BI;.QYCE g4BC.4PYG2pE4H.26P]0eSE>.M16TfASO.GI12z.CB.S2BIYhYCKSF.WO16KseAQm.BI;6z.CB.P2BI.rYA.ZE4FcgEMYCG{.4BCE?PYA.YE4Fc/4x.CAYo.<Z16TrCkq; BI5.Psa?FE4Fb1.r'UASA.Bc.HGYCExE.DcS6".OA#F[#I10x.CAYmtBI76zcC?]E4FK^.PYIgy.4j.16VYk.SE2Bab6P_Ci.E4DI.cPYEAy.4j.16VYk.SE2Bc.6.jCAWi3<z16TrU?bE4F.7NP

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.11984804614400055
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tSftorqHTy.exe
File size:	80'740'352 bytes
MD5:	c2792411f364989ec0d213a3ab7c4f94
SHA1:	ea0aa28c567ba49407fe84f2df04d232ac7b9147
SHA256:	2bbb422d5c12723784ee8139173b72ebf1ee0b88ba45b7e6c08265e53dc2fb14
SHA512:	1a20a76fc0d77cc9c2c7c87cab18fde230a479e4ca2102f8097b51ea5e47fcd02573d5ef59f3c2b8e963b9ce3a816572db8edd10a01639bee44e7f710ae8e680
SSDEEP:	12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCYEhV1x2OF4:uRmJkcoQricOIQxiZY1iaC9hTF
TLSH:	0C08AF21F5C69036C2B323B19E7EF76A963D79360336D29727C82D315EA05416B2A733
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................1b.......P.).....Q.......y.......i..........}....N.......d.......`.......m.......g.....Rich............PE..L..

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x4165c1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3bf8a7746a8d1ee8f6e5960c3f69378

Entrypoint Preview

Instruction
call 00007FA0D882A8FBh
jmp 00007FA0D882176Eh
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FA0D88218EAh
cmp edi, eax
jc 00007FA0D8821A86h
cmp ecx, 00000080h
jc 00007FA0D88218FEh
cmp dword ptr [004A9724h], 00000000h
je 00007FA0D88218F5h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007FA0D88218E7h
jmp 00007FA0D8821CC2h
test edi, 00000003h
jne 00007FA0D88218F6h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007FA0D882190Bh
rep movsd
jmp dword ptr [00416740h+edx*4]
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007FA0D88218EEh
and eax, 03h
add ecx, eax
jmp dword ptr [00416654h+eax*4]
jmp dword ptr [00416750h+ecx*4]
nop
jmp dword ptr [004166D4h+ecx*4]
nop
inc cx
add byte ptr [eax-4BFFBE9Ah], dl
inc cx
add byte ptr [ebx], ah
ror dword ptr [edx-75F877FAh], 1
inc esi
add dword ptr [eax+468A0147h], ecx
add al, cl
jmp 00007FA0DAC9A0E7h
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007FA0D88218AEh
rep movsd
jmp dword ptr [00000000h+edx*4]

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8d41c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9328	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x844	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8061c	0x80800	61ffce4768976fa0dd2a8f6a97b1417a	False	0.5583182605787937	data	6.684690148171278	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xdfc0	0xe000	0354bc5f2376b5e9a4a3ba38b682dff1	False	0.36085728236607145	data	4.799741132252136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a758	0x6800	8033f5a38941b4685bc2299e78f31221	False	0.15324519230769232	data	2.1500715391677487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9328	0x9400	495451d7eb8326bd9fa2714869ea6de8	False	0.49002322635135137	data	5.541804843154628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x4d0	data	English	Great Britain	0.36363636363636365
RT_STRING	0xb2d08	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3308	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb3968	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3cf0	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3e48	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3ed0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3ee8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3f00	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3f18	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb40b8	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
USER32.dll	GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
GDI32.dll	DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
OLEAUT32.dll	VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit

Version Infos

Description	Data
FileDescription
FileVersion	3, 3, 8, 1
CompiledScript	AutoIt v3 Script: 3, 3, 8, 1
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T22:13:48.432256+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49695	132.226.247.73	80	TCP
2025-03-07T22:13:57.604075+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49695	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 22:13:47.475976944 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:13:47.481070995 CET	80	49695	132.226.247.73	192.168.2.5
Mar 7, 2025 22:13:47.481260061 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:13:47.481545925 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:13:47.486589909 CET	80	49695	132.226.247.73	192.168.2.5
Mar 7, 2025 22:13:48.163207054 CET	80	49695	132.226.247.73	192.168.2.5
Mar 7, 2025 22:13:48.167109966 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:13:48.172267914 CET	80	49695	132.226.247.73	192.168.2.5
Mar 7, 2025 22:13:48.375077009 CET	80	49695	132.226.247.73	192.168.2.5
Mar 7, 2025 22:13:48.390475035 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:48.390563965 CET	443	49696	104.21.16.1	192.168.2.5
Mar 7, 2025 22:13:48.390654087 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:48.397408009 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:48.397443056 CET	443	49696	104.21.16.1	192.168.2.5
Mar 7, 2025 22:13:48.432255983 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:13:51.057156086 CET	443	49696	104.21.16.1	192.168.2.5
Mar 7, 2025 22:13:51.057226896 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:51.062268019 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:51.062279940 CET	443	49696	104.21.16.1	192.168.2.5
Mar 7, 2025 22:13:51.062606096 CET	443	49696	104.21.16.1	192.168.2.5
Mar 7, 2025 22:13:51.104065895 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:51.105880976 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:51.152321100 CET	443	49696	104.21.16.1	192.168.2.5
Mar 7, 2025 22:13:51.745806932 CET	443	49696	104.21.16.1	192.168.2.5
Mar 7, 2025 22:13:51.745986938 CET	443	49696	104.21.16.1	192.168.2.5
Mar 7, 2025 22:13:51.746074915 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:51.753473997 CET	49696	443	192.168.2.5	104.21.16.1
Mar 7, 2025 22:13:57.342660904 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:13:57.347753048 CET	80	49695	132.226.247.73	192.168.2.5
Mar 7, 2025 22:13:57.553792000 CET	80	49695	132.226.247.73	192.168.2.5
Mar 7, 2025 22:13:57.604074955 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:13:58.062886000 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:58.067989111 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:58.068130016 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:58.646527052 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:58.668946981 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:58.674045086 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:58.806878090 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:58.849420071 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:58.854592085 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:58.988398075 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:58.989329100 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:58.994400024 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.144728899 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.144746065 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.144757032 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.144830942 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:59.177700043 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:59.182914972 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.314831018 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.318135977 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:59.323251963 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.455163956 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.456279993 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:59.461419106 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.593523979 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.594819069 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:59.599837065 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.766954899 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.767254114 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:59.772316933 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.903814077 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:13:59.904144049 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:13:59.909176111 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.070619106 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.070811987 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.075879097 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.207189083 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.211755037 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.212091923 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.212091923 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.212091923 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.212182999 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.212260008 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.212260008 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.212392092 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:00.217529058 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.218008995 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.218030930 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.219127893 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.219139099 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.397594929 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:14:00.494776964 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:14:47.573312998 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:14:47.578838110 CET	80	49695	132.226.247.73	192.168.2.5
Mar 7, 2025 22:14:47.578958035 CET	49695	80	192.168.2.5	132.226.247.73
Mar 7, 2025 22:15:37.589014053 CET	49697	587	192.168.2.5	198.59.144.139
Mar 7, 2025 22:15:37.594099998 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:15:37.726352930 CET	587	49697	198.59.144.139	192.168.2.5
Mar 7, 2025 22:15:37.732439995 CET	49697	587	192.168.2.5	198.59.144.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 22:13:47.461940050 CET	55152	53	192.168.2.5	1.1.1.1
Mar 7, 2025 22:13:47.470271111 CET	53	55152	1.1.1.1	192.168.2.5
Mar 7, 2025 22:13:48.379676104 CET	60325	53	192.168.2.5	1.1.1.1
Mar 7, 2025 22:13:48.388391972 CET	53	60325	1.1.1.1	192.168.2.5
Mar 7, 2025 22:13:57.563780069 CET	59432	53	192.168.2.5	1.1.1.1
Mar 7, 2025 22:13:58.061786890 CET	53	59432	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 22:13:47.461940050 CET	192.168.2.5	1.1.1.1	0x6db6	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:48.379676104 CET	192.168.2.5	1.1.1.1	0xba03	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:57.563780069 CET	192.168.2.5	1.1.1.1	0xc58b	Standard query (0)	mail.grupomaya.mx	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 22:13:47.470271111 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 22:13:47.470271111 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:47.470271111 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:47.470271111 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:47.470271111 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:47.470271111 CET	1.1.1.1	192.168.2.5	0x6db6	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:48.388391972 CET	1.1.1.1	192.168.2.5	0xba03	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:48.388391972 CET	1.1.1.1	192.168.2.5	0xba03	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:48.388391972 CET	1.1.1.1	192.168.2.5	0xba03	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:48.388391972 CET	1.1.1.1	192.168.2.5	0xba03	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:48.388391972 CET	1.1.1.1	192.168.2.5	0xba03	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:48.388391972 CET	1.1.1.1	192.168.2.5	0xba03	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:48.388391972 CET	1.1.1.1	192.168.2.5	0xba03	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Mar 7, 2025 22:13:58.061786890 CET	1.1.1.1	192.168.2.5	0xc58b	No error (0)	mail.grupomaya.mx	grupomaya.mx		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 22:13:58.061786890 CET	1.1.1.1	192.168.2.5	0xc58b	No error (0)	grupomaya.mx		198.59.144.139	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49695	132.226.247.73	80	6584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 22:13:47.481545925 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Mar 7, 2025 22:13:48.163207054 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:13:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 22:13:48.167109966 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 22:13:48.375077009 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:13:48 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 7, 2025 22:13:57.342660904 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Mar 7, 2025 22:13:57.553792000 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:13:57 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49696	104.21.16.1	443	6584	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 21:13:51 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-03-07 21:13:51 UTC	853	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 21:13:51 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 11475 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 07 Mar 2025 18:02:35 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jjLfMkEqf0bOo08QWFDtLSyynRfjyOPz9As%2Fn9WrGqYNwzSDsb5XgEkCiXtGaD14n16KG6nAN0MJ9H5QMfd9Jf%2Fh78nuQuZB5HCbwX5MjIer8xMuiAmvx1YJ5Flg5R6ydR3YJcA0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 91cd1960de8c091c-LAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=11468&min_rtt=11358&rtt_var=3389&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=242240&cwnd=236&unsent_bytes=0&cid=d3a90c404379677b&ts=694&x=0"
2025-03-07 21:13:51 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Mar 7, 2025 22:13:58.646527052 CET	587	49697	198.59.144.139	192.168.2.5	220-svgt326.serverneubox.com.mx ESMTP Exim 4.98.1 #2 Fri, 07 Mar 2025 15:13:58 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Mar 7, 2025 22:13:58.668946981 CET	49697	587	192.168.2.5	198.59.144.139	EHLO 287400
Mar 7, 2025 22:13:58.806878090 CET	587	49697	198.59.144.139	192.168.2.5	250-svgt326.serverneubox.com.mx Hello 287400 [8.46.123.189] 250-SIZE 52428800 250-LIMITS MAILMAX=1000 RCPTMAX=50000 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Mar 7, 2025 22:13:58.849420071 CET	49697	587	192.168.2.5	198.59.144.139	STARTTLS
Mar 7, 2025 22:13:58.988398075 CET	587	49697	198.59.144.139	192.168.2.5	220 TLS go ahead

Target ID:	0
Start time:	16:13:43
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\tSftorqHTy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tSftorqHTy.exe"
Imagebase:	0x400000
File size:	80'740'352 bytes
MD5 hash:	C2792411F364989EC0D213A3AB7C4F94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.1375265324.0000000000AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:13:45
Start date:	07/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tSftorqHTy.exe"
Imagebase:	0x840000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2594091779.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2595080414.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tSftorqHTy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autF585.tmp

C:\Users\user\AppData\Local\Temp\autFB52.tmp

C:\Users\user\AppData\Local\Temp\lards

C:\Users\user\AppData\Local\Temp\lophophorine

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
tSftorqHTy.exe